Searching for the silver lining of the US cloud

Di Gleria, Sonja

January 2022

We live in a society where more and more services are available online, and to an increasing extent, people expect that there should be a digital solution. The demand for digitalization of the public sector is increasing. However, at the same time, there are requirements for public activities to handle tax funds responsibly and not buy more expensive solutions than necessary. Here, cloud providers are often used to solve the equation of being both efficient and economical - and not least secure. The problem is that after a judgment in the Court of Justice in the European Union (Schrems II), cloud-based solutions supplied by US-based providers appear to be legally prohibited as their use violates the GDPR. GDPR complicates the digitization work by creating uncertainty about what a public organization is allowed to do. The research question to help shed light on this issue is “How can the public sector in Sweden use US cloud providers in the light of Schrems II?” This research uses design science as a research method to find the critical factors to support the use of US cloud service providers and use the factors as requirements. As the problem is practical, action research is used as a research strategy. The primary data collection methods are interviews of subject matter experts for their knowledge and direct insight into the problem, document research of mostly official documents as a knowledge base for the research with their validity and reliability, and a variant of brainstorming for new perspectives. Thematic analysis is used to analyze the results and help define the requirements for using US cloud providers in the public sector, along with explanation and root cause analysis. The GDPR is clear about third country transfers, but the additional laws and demands cause uncertainties on applying it and for which kind of data. The critical factors found are contributing laws, data classification, risk management, internal procurement,routines, employee knowledge level, and the need for documentation. These results led to a conclusion that open, public data is the only kind of data for which it is possible to use US cloud providers. After carefully examining the critical factors, some public organizations have chosen to use US cloud services for other data types, as they decided it was the safer choice. EU and the US have just agreed on the principles of a new trans-Atlantic data transfer treaty. This treaty must solve several problems to guarantee an adequate level of protection, and the probability that this will be met creates continued uncertainty in the affected organizations. One thing is clear - an organization that meets the critical requirements is firmly facing whatever future may come.

Schrems II

public sector

privacy

GDPR

Computer Sciences

Datavetenskap (datalogi)

Molnmigration efter Schrems II: Utmaningar och möjligheter / Cloud Migration after Schrems II: Challenges and possibilities

Wetterlund, Gustaf, Lind, Oscar

January 2023

År 2020 meddelade Europeiska domsstolen den så kallade Schrems II-domen som komplicerar hur europeiska verksamheter får använda amerikanska molntjänstleverantörer på grund av oförenliga lagar och regleringar mellan USA och EU vid hantering av känsliga uppgifter. Eftersom amerikanska molntjänstleverantörer dominerar den europeiska marknaden lever många verksamheter i en osäkerhet om de kan fortsätta använda deras verksamhetskritiska molntjänster. Denna studies syfte är att bidra med kunskap kring vilka möjligheter som finns för dessa verksamheter, samt undersöka vilka kontraster det finns mellan den svenska privata och offentliga sektorn efter Schrems II-domen. Den primära empiriska datan har samlats in genom kvalitativa intervjuer med totalt elva respondenter. Åtta intervjuer genomfördes med respondenter från svenska verksamheter från både privat och offentlig sektor med olika perspektiv och arbetsbakgrund inom IT med fokus på att identifiera de utmaningar som upplevs under molnmigrationer. Tre intervjuer genomfördes sedan med respondenter som är insatta i Schrems II-frågan för att identifiera möjligheter och bringa ytterligare klarhet på studiens frågeställningar. Studiens resultat visade att den offentliga sektorn har påverkats avsevärt mer än den privata sektorn av Schrems II-domen och identifierade följande möjligheter: En juridisk bedömning på nationell nivå inom Sverige för användande av amerikanska molntjänster skulle klargöra och underlätta för framförallt mindre myndigheter som i dagsläget måste göra bedömningen själv. Resultatet av den nya rättsliga ramen Trans-Atlantic Data Privacy Framework som eventuellt ersätter den ram som Schrems II-domen ogiltligförklarade skulle ge ny klarhet i vad som gäller juridiskt för verksamheter. Ett beslut av EU-kommissionen förväntas komma till sommaren 2023. Licensering av amerikanska molntjänstleverantörers produkter som bedrivs av svenska IT-leverantörer. / In 2020, the Court of Justice of the European Union announced the so-called Schrems II-ruling, which complicates how european businesses can use American owned cloud service providers due to incompatible laws and regulations between the US and the EU regarding sensitive data. Since American cloud service providers dominate the european market, many businesses are uncertain about whether or not they can continue to utilize their business-critical cloud services. The purpose of this study is to contribute knowledge about the possible opportunities for these affected businesses and to examine the contrast between the Swedish private and public sectors after the Schrems II-ruling. The primary empirical data was collected through qualitative interviews with a total of eleven respondents. Eight interviews were contucted with respondents from both the private and public sector with different perspectives and work background within IT, with a focus on identifying the perceived challenges during cloud migrations in the public and private sectors. Three interviews were then conducted with respondents who are knowledgeable about the Schrems II-issue to identify opportunities and gain further clarity on the study's questions. The study's results showed that the public sector has been significantly more affected by the Schrems II-ruling than the private sector and identified the followning possible opportunities: A legal assesment at the national level in Sweden for the use of American cloud services would clarify the uncertainty businesses experience today. It would esspecially aid smaller agencies that currently have to make the assessment themselves with limited resources. The outcome of the new legal framework, the Trans-Atlantic Data Privacy Framework, which may replace the framework invalidated by the Schrems II ruling, would provide new clarity on what is legally applicable to businesses. A decision by the EU Commission is expected in the summer of 2023. Licensing of American cloud service providers products operated by Swedish IT providers.

Cloud service

Cloud Migration

Schrems II

Molntjänst

Molnmigration

Schrems II

Information Systems, Social aspects

Molntjänster i kommuner: en studie om rättsliga och informationssäkerhetsmässiga aspekter kring arbetet med molntjänster / Cloud computing in municipalities: a study of legal and information security aspects around the work with cloud computing

Farah, Hamza Hayd, Aden, Ayan Ali

January 2020

I samband med digitaliseringens framfart hanteras, lagras samt används information av allatyper av verksamheter. Den ökade digitaliseringen av samhället har bidragit till en förhöjdefterfrågan av innovativa teknologier såsom molntjänster. Molntjänster är en populär teknik vilken erbjuder skalbara IT-lösningar på begäran över internet och vilken har signifikanta fördelar när det gäller kostnadsreducering och säker IT-drift. Trots de positiva aspekterna med molntjänster uppkommer nya rättsliga och säkerhetsmässiga problem vilka inte tidigare existerat i den traditionella IT-infrastrukturen, såsom datalokalisering samt säkerhet och integritet av information. Syftet med detta arbete är att analysera samt undersöka legala och säkerhetsmässiga åtgärder som de undersökta kommunerna vidtar vid hantering av information i molnet. Studien genomfördes i form av en kvalitativ studie, där sju semistrukturerade intervjuer utfördes. Resultatet tyder på att de undersökta kommunernas val av molntjänstleverantör beror på flertal aspekter såsom den geografiska placeringen av data samt säkerhet på information i molntjänsten. Vidare visar resultatet att kommunerna genomför åtgärder såsom att utbilda sina medarbetare samt klassificera information som kommer att lagras i molnet. / Information is handled, processed, stored, and used by all types of businesses as a result of progress in digitalization. The increased digitalization of society has contributed to an increased demand for innovative technologies such as cloud computing. Cloud computing is a popular technology that offers scalable IT solutions on demand over the Internet, and which has major advantages regarding cost reduction and secure IT operations. Despite the positive aspects of cloud computing, new legal and security issues are emerging which have not previously existed in the traditional IT infrastructure, such as data localization and the security and integrity of information. The purpose of this work is to analyze and investigate legal and security measures that the surveyed municipalities take when handling information in the cloud. The study was conducted in the form of a qualitative study, in which seven semi-structured interviews were conducted. The results indicate that the surveyed municipalities' choice of cloud computing provider depends on several aspects such as the geographical location of data and security of information in cloud computing. Furthermore, the results show that the municipalities implement measures such as training their employees and classifying information that will be stored in the cloud.

cloud computing

municipalities

GDPR

Cloud Act

Privacy Shield

Schrems II-domen

information security

digitalization.

molntjänster

kommuner

GDPR

Cloud Act

Privacy Shield

Schrems II-domen

informationssäkerhet

digitalisering

Information Systems, Social aspects

Digital distansundervisning och GDPR : Särskilt om Zoom vid Sveriges universitet och högskolor efter Schrems II-målet / Distance learning and GDPR : Especially about Zoom at Swedish universities after the Shrems II case

Andersson Rosengren, Pontus

January 2021

The ongoing Covid-19 pandemic has led to society being forced to switch to a digital presence, where physical meetings have been replaced by digital ones. For universities, this has meant that teaching and examinations have taken place through a special installation of the video conferencing service Zoom. Zoom is offered in a so-called on-premises installation which largely runs on private servers or instance, in Denmark. NORDUnet and Sunet are the providers of the special installation which has been given the “Sunet E-meeting”. For the service to work, personal data is processed. This data includes names and e-mail addresses, but also meeting data, gathered by the camera and audio feed, and IP-addresses. All personal data should be processed on the private instance according to the service description. To connect to the service, various options are provided, including installing a client provided by Zoom on a computer or smartphone. Another way to connect that does not require any installation is through a web client, also provided by Zoom.  One of Sweden’s universities recently discovered that a student who joined the meeting via the web client was connected to a public Zoom data center in the United States. Through network analyzes and the study below, it turns out that the web client is a form of exception in the service where traffic does not go directly to the private cloud. Instead, the traffic goes via Zoom's public cloud where traffic is at risk of going to various data centers both outside and within the European Union. This study of the service is based on the data protection legislation. Questions concerning the division of roles and responsibilities between the data controller and the processor, security concerns, the use personal data, processing, and third-country transfers has been done.  Following the Schrems II judgment, where the European Court of Justice ruled that the United States does not have an adequate level of protection regarding the protection of individuals' personal data, the possibilities of transferring personal data to the country were limited. Determining whether the usage of the cloud service means that personal data is transferred to the United States or not is therefore of great importance. This study concludes that a third country transfer has occurred at least once, which is not compatible within the data protection regulation. The study also shows the importance of knowledge of the service being used both by the controller and processor to ensure correct processing of the data.

Zoom

Videokonferens

GDPR

IT-säkerhet

tredje land

tredjelandsöverföring

Schrems II

personuppgiftsbehandling

personlig integritet.

Law (excluding Law and Society)

Tredje gången gillt? : En analys av EU-US Data Privacy Framework / Third time’s the charm? : An analysis of the EU-US Data Privacy Framework

Bjerselius, Nathalie

January 2023

Through the GDPR, the member states of the EU and the EEA countries ensure equivalent protection for personal data which is why personal data within this area can be transferred freely. Transfers of personal data to a country outside the EU/EEA area, such as the U.S., are only permitted under the General Data Protection Regulation (GDPR) under cer­tain conditions, including if the EU Commission has decided that the country in ques­tion en­sures an adequate level of protection. The EU Commission has previously adopted two such decisions for the U.S., based on Safe Harbour and Privacy Shield. Those decisions were, how­ever, struck down by the Court of Justice of the European Union (CJEU) in Schrems I and II since the CJEU did not consider that the U.S. could ensure an adequate level of protection for per­sonal data that was transferred from the EU to the U.S. In July 2023, the EU Commission announced that it had once again adopted an adequacy decision for the U.S. meaning that personal data can now flow freely from the EU to companies and organ­izations in the U.S. certified under the EU-US Data Protection Framework (EU-US DPF). The adequacy decision followed a presidential order signed by U.S. President Biden in October 2022, which introduced new security measures intended to remedy the problems iden­tified by the CJEU in Schrems I and II. On the one hand, the US intelli­gence agencies’ access to personal data is limited to what is proportionate. On the other hand, a data protection court is established.  The purpose of this essay is to examine whether the changes that the presidential order has given rise to has changed the legal situation after Schrems II in such a way that the U.S. can now be considered to ensure an adequate level of protection for personal data that is being transferred from the EU to the U.S. By analyzing the EU-US DPF against the background of the jurisprudence of the CJEU and the European Court of Justice, I find that this is not the case. The U.S. intelligence agencies’ use of and access to EU citizens’ personal data is still not lim­ited to what is proportionate and EU citizens whose personal data is processed still do not have access to an effective remedy to challenge surveillance measures. Thus, the new adequacy decision for the U.S. is likely to be struck down by the CJEU in the coming years. The conse­quences of such an invalidation are examined to some extent in this essay, particularly in rela­tion to other transfer mechanisms in Chapter V of the GDPR, namely standard contractual clauses and binding corporate rules.

EU-US Data Protection Framework

EU-US DPF

GDPR

tredjelandsöverföringar

adekvansbeslut

Schrems I

Schrems II

Safe Harbour

Privacy Shield

personuppgifter

Law

Juridik